b'                                        SOCIAL SECURITY\n\nMEMORANDUM                                                                            Refer To:\n\nDate:   September 10, 2004\n\nTo:     Martin H. Gerry\n        Deputy Commissioner\n         for Disability and Income Security Programs\n\nFrom:   Assistant Inspector General\n         Audit\n\nSubject: Evaluation of the Accelerated eDib System \xe2\x80\x93 Sixth Assessment (A-14-04-15005)\n\n\n\n        The Social Security Administration\xe2\x80\x99s (SSA) Office of the Inspector General has\n        completed its sixth assessment in our ongoing evaluation of the Accelerated eDib\n        (AeDib) initiative (formally the Electronic Disability or eDib initiative). We conducted this\n        sixth assessment from April 2004 through August 2004 at SSA Headquarters in\n        Baltimore, Maryland. While we did not conduct an audit of the AeDib initiative, our\n        assessment addresses issues that further secure the processing of sensitive SSA\n        information by the Disability Determination Services offices (DDS).\n\n        BACKGROUND\n\n        The enhancement of DDS systems to support paperless claims processing is included\n        as one of the four major software initiatives for AeDib.1 DDSs use a variety of hardware\n        and software platforms to store, process, and protect sensitive SSA information. For\n        example, as of March 2004, 51 IBM AS/400 midrange computers (AS/400) are used by\n        52 of the 54 DDSs2 as the hardware platform for case processing. Sensitive SSA data,3\n        processed and stored by each DDS, should be protected from inappropriate or\n        unauthorized access, use, and disclosure.\n\n        Operating system upgrade and maintenance procedures are one consideration in the\n        overall security and administration of a DDS AS/400. Operating system upgrades occur\n\n\n        1\n          Final Report prepared by Booz Allen Hamilton, eDib Program Management Plan, January 31, 2002,\n        page II-4.\n        2\n          The 52 DDSs include 48 States, District of Columbia, Puerto Rico, Guam and the Virgin Islands. Guam\n        and the Virgin Islands disability cases are processed on an AS/400 located in the Western Program\n        Service Center. Nebraska and New York use a different hardware platform.\n        3\n          Sensitive data downloaded from SSA to the DDS claims processing system include claimant SSN,\n        name, address, phone number, and date of birth.\n\x0cPage 2 - Martin H. Gerry\n\nwhen a DDS installs a new version/release of the AS/400 operating system.4 Operating\nsystem maintenance is achieved by installing fixes provided by IBM.5 DDSs that\nsubscribe with IBM, receive alerts6 of AS/400 fixes.\n\nThe Government Accountability Office7 (GAO) reported8 that patch management9 is a\ncritical process used to help alleviate many of the challenges involved with securing\ncomputing systems from attack. Figure 1 illustrates the dramatic growth in security\nvulnerabilities from 1995 to 2003.\n\nFigure 1. Security Vulnerabilities 1995-2003\n    Vulnerabilities\n      5000\n                                                                                           GAO stated that\n      4500                                                                                 from 1995 to 2003\n      4000                                                                                 the CERT\xc2\xae\n      3500                                                                                 Coordination\n      3000                                                                                 Center10 reported\n      2500                                                                                 just under\n      2000                                                                                 13,000 security\n      1500\n                                                                                           vulnerabilities that\n      1000\n                                                                                           resulted from\n       500\n                                                                                           software flaws.\n          0\n               1995   1996    1997    1998     1999    2000    2001    2002     2003\n      Source: GAO analysis based on Carnegie-Mellon University CERT\xc2\xae Coordination Center\n\n\nThe SSA and its affiliated DDSs each year request about 15 million medical and other\nrecords on behalf of claimants for Social Security disability benefits. SSA stated that\nthe Document Management Architecture (DMA) project, which includes electronic\nmedical evidence, is part of the AeDib effort that will create paperless automation to\nimprove the disability claim processing. DMA is an Agency-level initiative to define and\ndevelop the architecture and an infrastructure to address the known and future\ndocument capture, indexing, storage, retrieval, and management needs. The electronic\nmedical evidence project gives medical providers electronic options for submitting\nrecords and reports on behalf of disability claimants.\n\n\n\n4\n  IBM released Version 5 Release 3 of the operating system in June 2004. Version 5 Release 2 of the\noperating system is considered current for DDSs because the latest release has not been tested.\n5\n  IBM periodically creates fixes to correct problems or potential problems found within a particular IBM\nlicensed program. Fixes can consist of documentation and/or code. Fixes are also called Programming\nTemporary Fixes (PTFs). A PTF is temporary only in the sense that it disappears because it is integrated\nin the next release of the operating system.\n6\n  Alerts provide automatic problem prevention notification and defect identification and resolution\ninformation specific for a DDS operating system.\n7\n  The Government Accountability Office was formally known as the General Accounting Office.\n8\n  GAO Report GAO-04-816T, Information Security: Agencies Face Challenges in Implementing Effective\nSoftware Patch Management Processes, June 2, 2004, pages 3 and 4.\n9\n  Patch management is the process of applying software code into a program to temporarily fix a defect.\n10\n   This a center of Internet security expertise at the Software Engineering Institute, a Federally funded\nresearch and development center operated by Carnegie-Mellon University.\n\x0cPage 3 - Martin H. Gerry\n\nIn the paper environment, consultative examinations are submitted to the DDSs with a\nsignature. This signature \xe2\x80\x9c\xe2\x80\xa6 attests to the fact that the medical source doing the\nexamination or testing is solely responsible for the report contents and for the\nconclusions, explanations, or comments provided with respect to the history,\nexamination, and evaluation of laboratory test results.\xe2\x80\x9d11 To increase the medical\nproviders\xe2\x80\x99 use of electronic records in lieu of paper records, SSA has developed a free,\neasy-to-use website called eData that can safely upload the electronic medical\nevidence.\n\nAs defined by the National Institute of Standards and Technology (NIST),12 \xe2\x80\x9cElectronic\nauthentication (e-Authentication) is the process of establishing confidence in user\nidentities that are electronically presented to an information system.\xe2\x80\x9d Each\ne-Government application should be rated by its Agency on a 1 to 4 scale where Level 1\nprovides the lowest authentication assurance and Level 4 provides the highest\nassurance. An agency determines the assurance level of its application by conducting\nan e-Authentication Risk Assessment. As the consequences of an authentication error\nbecomes more serious, the required level of assurance increases and determines what\ncontrols should be in place. Including other controls that vary according to the\nassurance level, remote authentication is generally determined by the application\xe2\x80\x99s\nusers presenting some secret only they know or possess, such as a password.\n\nFor Electronic Consultative Examination (eCE) submissions via eData, the authenticity\nof the submission is determined by the following process. First, the DDS invites a CE\nprovider to participate in the process and if the invitation is accepted, the DDS and SSA\ncoordinate to establish an authorized Internet account. Next, after the medical provider\ncompletes a valid logon onto SSA\xe2\x80\x99s Internet account, the CE provider links the\nelectronic versions of the CE report and medical evidence to the submission screen and\ndesignates which DDS will receive the files. To submit these files, the CE provider must\nclick the Internet \xe2\x80\x9cAgree\xe2\x80\x9d button on the Click and Sign Certification screen (see\nAttachment D). Clicking on the \xe2\x80\x9cAgree\xe2\x80\x9d button creates the CE provider\xe2\x80\x99s electronic\nsignature that certifies the accuracy of the eCE files submitted. The process ends with\nthe Agency sending the CE provider a confirmation message. This certification process\nis referred to by the Agency as eCE Click and Sign.\n\nThe purposes of our sixth assessment of AeDib were to: (1) determine whether the\nAgency has implemented an operating system upgrade and maintenance program for\nthe IBM AS/400 computer systems used at DDSs; and (2) review the effectiveness of\nthe Agency\xe2\x80\x99s authentication risk assessment in addressing the risks associated with the\neCE Click and Sign process.\n\n\n\n\n11\n  See 20 C.F.R. \xc2\xa7\xc2\xa7 404.1519n(e), 416.919n(e).\n12\n  NIST Special Publication 800-63, version 1.0, \xe2\x80\x9cElectronic Authentication Guideline\xe2\x80\x9d, June 2004,\npage vi.\n\x0cPage 4 - Martin H. Gerry\n\nRESULTS OF OUR EVALUATION\n\nWe identified two areas of concern.\n\n     1. AS/400 operating system upgrade and preventive maintenance fixes were not\n        current for DDS AS/400s. As a result, AS/400s are vulnerable to unnecessary\n        system failures or breaches of security. Improvements are needed in the policies\n        and procedures for the DDS AS/400 upgrade and maintenance guidance.\n\n     2. The eCE Click and Sign process for consultative examinations began as the\n        DMA application risk assessment was concluding. As a result, there is a\n        possibility that all risks for the Click and Sign process have not been identified.\n        Now that the eCE Click and Sign process is expanding from a pilot, additional\n        risks need to be considered.\n\nSuggestions for an Operating System Version Upgrade and Maintenance Program\n\nWe analyzed the fourth quarter Calendar Year (CY) 2003 and first quarter CY 2004\nIBM Performance and Information Reports.13 As of March 2004, we determined that\n31 of the 51 DDS AS/400 systems had noncurrent operating systems.14 Only 1 of the\nremaining 20 systems with current operating systems and none of the 31 noncurrent\noperating systems had a 2004 cumulative fix level. A cumulative fix level is the primary\nmethod of performing preventive maintenance for AS/400 operating systems. It is\nusually issued quarterly and contains a cumulative package of group and individual\nfixes issued more frequently. We were advised that the information contained in this\nreport is not validated by SSA for accuracy. In addition, except for observing the\ncumulative fix level in the report, SSA does not know whether DDSs are current with fix\nupdates.15 See Attachment A for a listing of State Operating System Data by region.\n\nSSA has made great strides to upgrade the operating systems for the AS/400s used by\nDDSs. In December 2003, 46 of the 51 DDS AS/400 systems had noncurrent operating\nsystems. However, 15 upgrades were accomplished from December to March, which\nreduced the number of noncurrent operating systems to 31 and we were advised that as\nof July 14, 2004, only four DDSs require upgrades. These strides were achieved to\nallow SSA to take advantage of the Websphere MQ Series functionality16 in support of\nAeDib, not for version control purposes. Likewise, the cumulative fix levels for\n21 AS/400s improved from December to March.17 However, because such a large\nnumber of DDS systems have not installed a 2004 cumulative fix level, improvements in\nthe program are needed to ensure systems are updated.\n\n\n13\n   This quarterly report was designed for SSA to monitor the performance metrics of the AS/400 systems\nat DDSs. It also includes operating system version and maintenance data.\n14\n   The current operating system used by DDSs is version 5 release 2.\n15\n   IBM issues a variety of fix updates. A description of those updates is presented in Attachment B,\nProgram Temporary Fixes.\n16\n   Websphere MQ Series allows SSA to easily exchange information across different computer platforms,\nintegrating existing business applications in the process.\n17\n   Thirteen of the improvements were attributable to the operating system upgrade.\n\x0cPage 5 - Martin H. Gerry\n\nSSA\xe2\x80\x99s draft national disaster recovery plan for DDS AS/400s18 is less effective if the\noperating system version on the AS/400 maintained at the National Computer Center\n(NCC)19 is not the same as those in the DDSs. The NCC AS/400 is using\nversion 5 release 2 of the operating system, which is more current than 31 DDSs,\nas of March 2004. We were advised that cases processed on an AS/400 with an earlier\nversion of the operating system will not function on a newer release of the operating\nsystem.\n\nIf a DDS remains on a noncurrent AS/400 operating system release too long, it is likely\nto incur higher costs for an upgrade. Higher costs are incurred when a DDS needs to\ndo a multiple step upgrade, which would require implementing an interim release just to\nbe able to upgrade to the latest release. Upgrade costs are further increased if\nsubsequent releases, which supported a single step upgrade, are withdrawn from\nmarketing. In most of these cases, a DDS would then need to hire custom services to\nperform a potentially labor intensive upgrade from the back-level release to a current\none.\n\nIf DDSs are not current with maintenance fixes, they increase the risk of unplanned\noutages, system failures, and/or security breaches. A fix maintenance strategy is\nrecommended by IBM to potentially reduce the impact on operations that result from\nunplanned outages and program failures. In July 2004, we identified 5 security fixes\nissued in 2004 for the 20 DDS AS/400s on a current operating system. Because SSA\nlimits its tracking of fix updates to a review of the cumulative fix levels in the quarterly\nIBM Performance and Information Reports, it would not know whether all necessary\nfixes have been tested and installed by the DDSs. SSA needs a process to determine\nwhether other necessary fixes, such as individual fixes made available to DDSs with\nIBM alerts have been tested and installed.\n\nThe DDSs are expected to provide a controlled environment that meets SSA\xe2\x80\x99s minimum\nsecurity requirements. The DDS Security Document (DSD)20 was established as a\ncomprehensive approach to DDS security in August 2001. In January 2002, SSA\nissued a supplement for the DSD, which contains policies, procedures, and\nrecommendations for providing security on the AS/400.21 In September 2003, SSA\nissued an update to the DSD, merging the AS/400 supplement into the DSD.\nUnfortunately, as the supplement was merged into the updated version of the DSD, the\nAS/400 upgrade and maintenance guidance in the supplement was omitted.22 See\nAttachment C for the AS/400 Operating System Upgrade and Maintenance Guidance\ncontained in the supplement.\n\n\n18\n   Draft National Disaster Recovery Plan for IBM AS/400 (i-Series) Processors in the Disability\nDetermination Services, July 2003.\n19\n   In the event of a disaster, the DDS cases would be processed on this AS/400 until arrangements can\nbe made for a permanent replacement of the AS/400 at the DDS.\n20\n   Disability Determination Services Security Document, September 2003.\n21\n   Disability Determination Services Security Document Supplement, AS/400 Platform Security Settings,\nJanuary 31, 2002.\n22\n   Disability Determination Services Security Document Supplement, AS/400 Platform Security Settings,\nChapter IV, Upgrade and Maintenance Guidance, January 31, 2002, pages 19 to 23.\n\x0cPage 6 - Martin H. Gerry\n\nThere are no documented SSA guidance and procedures to monitor and enforce the\nimplementation of current operating system versions and fixes for all DDSs processing\ncases on an AS/400 and the NCC AS/400 used for the National DDS disaster recovery\nplanning. For the most part, SSA relies on IBM for these programs. We encourage the\nAgency to:\n\n     \xe2\x80\xa2   Restore the AS/400 operating system upgrade and maintenance guidance for\n         DDSs that was contained in the January 2002 AS/400 supplement.\n\n     \xe2\x80\xa2   Establish and implement policies and procedures to monitor and enforce\n         AS/400 operating system upgrade and maintenance for all DDS\n         AS/400s promoting greater involvement of SSA in the process.\n\n     \xe2\x80\xa2   Extend the AS/400 security settings monitoring to include AS/400 operating\n         system upgrades and maintenance fixes, if feasible.\n\nRisk Related Suggestions for the eCE Click and Sign Process\n\nWe reviewed the Agency\xe2\x80\x99s E-Authentication Risk Assessment and its Risk Mitigation\nStrategy for the piloted eCE Click and Sign process. Although we believe SSA has\ntaken significant steps for meeting its goal to provide reasonable assurance23 that the\nsender of the eCE has been authenticated, a broader-scoped risk assessment is\nneeded to address risks not covered by these documents. We based our conclusions\non our interviews with project personnel, our review of the documentation provided, and\nour comparison of these documents to the risk assessment portion of the Office of\nManagement and Budget\xe2\x80\x99s (OMB) e-Authentication Guidance.\n\nWe reviewed the Agency\xe2\x80\x99s authentication risk assessment and mitigation reports for the\neCE Click and Sign process and determined that the Agency\xe2\x80\x99s risk assessment\ncomplied with the applicable sections24 of the OMB criteria. The OMB criteria require\nthe completion of the following five steps to determine the appropriate assurance level:\n\n     \xe2\x80\xa2   Conduct a risk assessment of the e-Government system.\n     \xe2\x80\xa2   Map Identified risks to the required assurance level.\n     \xe2\x80\xa2   Select technology based on the NIST e-Authentication technical guidance.\n     \xe2\x80\xa2   After implementation, validate that the information system has operationally\n         achieved the required assurance level.\n\n\n\n\n23\n   GAO/AIMD-00-21-3.1, Standards for Internal Control in the Federal Government, November 1999,\npage 6 states, \xe2\x80\x9cNo matter how well designed and operated, internal control \xe2\x80\xa6 provides reasonable, not\nabsolute, assurance of meeting agency objectives.\xe2\x80\x9d\n24\n   Office of Management and Budget Memorandum M-04-04, E-Authentication Guidance for Federal\nAgencies, December 16, 2003, Attachment A, Section 2, Assurance Levels and Risk Assessments,\npages 4-14.\n27\n   OIG Memorandum, Evaluation of the Accelerated eDib System - Fifth Assessment, March 10, 2004.\n\x0cPage 7 - Martin H. Gerry\n\n      \xe2\x80\xa2   Periodically reassess the information system to determine technology refresh\n          requirements.\n\nThe Agency\xe2\x80\x99s risk assessment included the first three of the five steps. Steps four and\nfive of the criteria were not applicable because the process was still in the pilot phase\nwhen the Agency conducted its risk assessment.\n\nAfter completing the e-Authentication risk assessment, the Agency developed a strategy\nto mitigate the risks identified. SSA\xe2\x80\x99s attentiveness to these areas should contribute to\nthe effectiveness of the National implementation of the process.\n\nWe have three risk-related suggestions for the National implementation of the eCE Click\nand Sign process. First, as designed by OMB, the e-Authentication risk assessment is\nlimited to the risks related to establishing the authenticity of the medical provider. It did\nnot address other risks, which may have been included in the DMA application risk\nassessment, had the eCE Click and Sign process started sooner. Examples of risks not\naddressed by the e-Authentication risk analysis are:\n\n      \xe2\x80\xa2   What controls are in place to ensure that the submitted eCE files are not modified\n          or deleted/lost any time after their receipt by the DDS and used by other SSA\n          components during the claim process?\n\n      \xe2\x80\xa2   What controls are in place to prevent unauthorized physical and logical access to\n          the eCE files?\n\nWe reviewed and commented on the DMA risk assessment in a prior memorandum.27\nIn this memorandum, we reported that the DMA risk assessment needed updating. We\nencourage the Agency to include the eCE Click and Sign process when it updates its\nDMA risk assessment.\n\nSecond, the last SSA Internet screen accessed by a medical provider before submitting\neCE contains language, which acts to certify that the medical provider is electronically\nsigning for the eCE submitted. This screen, as seen on attachment D, has language\nallowing the medical provider to certify that the eCE is accurate. However, it does not\nprovide the information that this certification is \xe2\x80\x9cunder the penalty of perjury\xe2\x80\x9d and that the\neCE is accurate. Although, we realize that paper consultative examinations do not\ncontain the \xe2\x80\x9cunder the penalty of perjury\xe2\x80\x9d clause, we encourage the Agency to consider\nadding this clause to the aforementioned screen. The addition of this clause may assist\nFederal, State, and local prosecutors, as well as SSA attorneys with any fraud\nprosecutions or other Social Security litigation involving this new process.\n\nThird, the regulations29 concerning the signature requirements are quite specific that the\nCE examination reports will be \xe2\x80\x9c\xe2\x80\xa6 personally reviewed and signed by the medical\nsource who actually performed the examination.\xe2\x80\x9d Also, the regulations state that the\nuse of a rubber stamp signature or the \xe2\x80\x9c\xe2\x80\xa6 medical source\xe2\x80\x99s signature entered by any\n29\n     See 20 C.F.R. \xc2\xa7\xc2\xa7 404.1519n(e), 416.919n(e).\n\x0cPage 8 - Martin H. Gerry\n\nother person is not acceptable.\xe2\x80\x9d The electronic equivalent of signing the report by\nsomeone other than the medical provider is for someone to obtain and use the medical\nprovider\xe2\x80\x99s username and password to submit eCE. To promote greater security and\ndiscourage medical provider\xe2\x80\x99s from sharing their username and password, we\nencourage the Agency to add a popup window similar to Image 1 below as the medical\nprovider begins to login to the eData website. Image 1 shows the popup screen\naccessed before a user can obtain a password to access information about their\nbenefits on SSA\xe2\x80\x99s online Social Security Password Services. The addition of this\nwindow may assist Federal, State, and local prosecutors, as well as SSA attorneys with\nany fraud prosecutions or other Social Security litigation involving this new process.\n\nImage 1 Social Security Password Services Popup Window, Acknowledgement for Password Services.\n\x0cPage 9 - Martin H. Gerry\n\nOTHER MATTERS\n\nSSA has initiated a process where claimants no longer have to physically sign a paper\napplication when they file for Social Security and Supplemental Security Income\nbenefits. On February 4, 2004, Commissioner Barnhart approved the adoption of the\nsignature proxy alternatives. Click and Sign is one of those alternatives. Click and Sign\nis achieved when a claimant clicks an Internet \xe2\x80\x98sign\xe2\x80\x99 button representing an affirmation\nof the accuracy of the data and intent to file. In recognition of the significance of the\nClick and Sign process to the Agency, the Office of Inspector General is considering a\nreview of the proxy-signature process used for benefit claims.\n\nThere is no expectation for the Agency to formally respond to this document. If you\nhave any questions or comments, please call me or have your staff contact Kitt Winter,\nDirector, Data Analysis and Technology Audit Division at (410) 965-9702, or Al Darago\nat (410) 965-9710.\n\n\n\n\n                                                S\n                                                Steven L. Schaeffer\n\nAttachments\n\ncc:\nThomas P. Hughes, Chief Information Officer for Social Security Administration\nWilliam E. Gray, Deputy Commissioner for Systems\nLinda S. McMahon, Deputy Commissioner for Operations\nPatrick P. O\xe2\x80\x99Carroll, Jr., Acting Inspector General\nFritz Streckewald, Assistant Deputy Commissioner for Disability and Income Security\n Programs\nCandace Skurnik, Director, Audit Management and Liaison Staff\n\x0c                                                              Attachment A, Page 1 of 2\n\n\nState Operating System Data\nSSA made significant improvements in the operating system versions and the\ncumulative fix levels between December 2003 and March 2004. Fifteen DDSs were\nupgraded from Version 5 Release 1 (V5R1) to Version 5 Release 2 (V5R2) of the\noperating system and 23 DDSs improved their cumulative fix levels. Wyoming\nimproved its cumulative fix to a 2004 level.\n\nThe cumulative fix level is expressed as TL plus the Julian date of the cumulative\nrelease. For example, TL02050 is the 50th day of 2002 or February 19, 2002.\n\n            Operating System Version/Release      Operating System Cumulative Fix Level\n                                    Upgrade                                Improved\n  State     12/31/03     3/31/04     to v5r2       12/31/03     3/31/04       N-No\n                                      N-No                                U-Unknown\nAtlanta Region\n   AL         V5R1          V5R2          1        TL03343       TL03252             N\n   FL         V5R2          V5R2          2        TL03252       TL03252             N\n   GA         V5R1          V5R1          N        TL03175       TL03175             N\n   KY         V5R1          V5R2          3        TL03175       TL03252             1\n   MS         V5R1          V5R2          4        TL03175       TL03252             2\n   NC         V5R1          V5R2          5        TL03343       TL03252             3\n   SC         V5R1          V5R2          6        TL03175       TL03252             4\n   TN         V5R1          V5R2          7        TL03175       TL03252             5\nBoston Region\n   CT        V5R1           V5R1          N        TL02134       TL03175             6\n   MA        V5R1           V5R2           8       TL03175       TL03252             7\n   ME        V5R1           V5R1          N        TL03175       TL03175             N\n   NH        V5R1           V5R2           9       TL03175       TL03252             8\n    RI       V5R1           V5R2          10       TL03175       TL03252             9\n   VT        V5R1           V5R1          N        TL03175       TL03175             N\nChicago Region\n    IL           V5R1       V5R1          N        TL03175       TL03175             N\n    IN           V5R1       V5R2          11       TL03175       TL03252             10\n    MI           V5R1       V5R1          N        TL03175       TL03175             N\n    MN           V5R1       V5R2          12       TL03175       TL03252             11\n    OH           V5R2       V5R2          N        TL03252       TL03252             N\n    WI           V5R1       V5R1          N        TL03007       TL03175             12\nDallas Region\n   AR            V5R1       V5R1          N        TL03175       TL03175             N\n   LA            V5R1       V5R1          N        TL03175       TL03175             N\n   NM            V5R1       V5R1          N        TL03175       TL03175             N\n   OK            V5R2       V5R2          N        TL03252       TL03252             N\n\x0c                                                          Attachment A, Page 2 of 2\n\n\n\n            Operating System Version/Release   Operating System Cumulative Fix Level\n                                    Upgrade                             Improved\n  State     12/31/03     3/31/04     to v5r2    12/31/03     3/31/04       N-No\n                                      N-No                             U-Unknown\n\n   TX         V5R1        V5R2         N        TL03175     TL03252         13\nDenver Region\n   CO         V5R1        V5R1         N        TL03007     TL03175         14\n   MT         V5R1        V5R1         N        TL03175     TL03175         N\n   ND         V5R1        V5R1         N        TL03175     TL03175         N\n   SD         V5R1        V5R1         N        TL03175     TL03175         N\n   UT         V5R1        V5R1         N        TL03175     TL03175         N\n   WY         V5R1        V5R2         13       TL03175     TL04077         15\nKansas City Region\n   IA        V5R1         V5R2         14       TL03175     TL03252         16\n   KS        V5R1         V5R1         N        TL03175     TL03175         N\n   MO        V4R5         V4R5         N                    TL02169         U\nNew York Region\n    NJ         V5R1       V5R1         N                    TL03175          U\n    PR         V5R1       V5R1         N                    TL03175          U\nPhiladelphia Region\n   DC         V5R1        V5R1         N                    TL03175         U\n   DE         V5R2        V5R2         N        TL03161     TL03252         17\n   MD         V5R1        V5R1         N        TL03007     TL03175         18\n   PA         V5R1        V5R1         N        TL03007     TL03175         19\n   VA         V5R1        V5R1         N        TL03175     TL03175         N\n   WV         V5R1        V5R2         15       TL03007     TL03252         20\nSan Francisco Region\n   AZ            V5R1     V5R1         N        TL02134     TL03175         21\n   CA            V5R2     V5R2         N                                    U\nCA-WPSC          V4R5     V4R5         N        TL02169     TL02169         N\n    HI           V5R1     V5R1         N        TL03175     TL03175         N\n   NV            V5R1     V5R1         N                    TL03175         U\nSeattle Region\n   AK            V4R5     V4R5         N        TL02169     TL02169          N\n   ID            V5R1     V5R1         N        TL03175     TL03175          N\n   OR            V5R1     V5R1         N        TL03175     TL03175          N\n   WA            V5R1     V5R1         N        TL03175     TL03175          N\n\x0c                                                             Attachment B, Page 1 of 1\n\n\nProgramming Temporary Fixes\n\nThere are a variety of fixes to correct problems or potential problems found within a\nparticular IBM operating system. Fixes can consist of documentation and/or code.\nFixes are also called Programming Temporary Fixes (PTFs). DDSs need to assess\nwhether a PTF is good for their operations. While cumulative PTFs are considered the\nprimary method of preventive maintenance, they are not the only solution to an effective\npreventive maintenance strategy. Installation of high impact/pervasive (HIPER), group,\nand individual PTFs are also needed.\n\nCumulative PTF\n\nA cumulative PTF package is the primary method of performing preventive maintenance\nfor AS/400 operating systems. Cumulative PTFs are updated periodically (usually\nquarterly), and contain fixes for a specific release of the operating system and\nassociated licensed programs.\n\nA cumulative PTF package includes the following fixes.\n\n \xe2\x80\xa2   All HIPER group fixes for the release.\n \xe2\x80\xa2   The latest database group PTF for the release (for Version 5 releases only).\n \xe2\x80\xa2   All PTFs, including single PTFs and those in group PTFs, that have been ordered a\n     minimum number of times when the package is created (normally 35 orders\n     worldwide).\n\nGroup PTF\n\nA group PTF is a single PTF number that includes multiple and individual PTFs for a\nspecific function, such as database and HIPER PTFs. It allows a group of PTFs to be\nmanaged as a single entity to reduce complexity when dealing with PTFs.\n\nHIPER PTF\n\nHIPER PTFs fix serious or widespread problems. To prevent downtime on your server,\nIBM recommends that you install HIPER PTFs as soon as possible.\n\nIndividual PTFs\n\nIndividual PTFs are single PTFs. Individual PTFs that are not included in a group PTF\nor cumulative PTF package may be critical to DDS operations.\n\x0c                                                                        Attachment C, Page 1 of 5\n\n\n\nAS/400 Operating System Upgrade and Maintenance Guidance\n\n                                                    V. Supplement \xe2\x80\x93 DDS AS/400 Platform Security Settings\n\nIV. UPGRADE AND MAINTENANCE GUIDANCE\n\nAS/400 Upgrades\n\nSSA\xe2\x80\x99s AS/400 Operating System Upgrades\n\nSSA has determined that a prudent software upgrade philosophy is to maintain a reasonably\ncurrent, IBM-supported operating system product level while also assuring that DDS\nproduction systems continue to function normally. Our experience suggests that some\nversion upgrades are more significant than others in terms of affecting functionality. When\nlarge changes are implemented in the operating system, it is more prudent to delay the\nupgrade until the version has been tested with the DDS application software.\n\nDDSs should normally order an OS/400 release after one month, but no later than two\nmonths, after the release date of the first cumulative Program Temporary Fixes (PTF)\npackage for the new release. The High Impact/Pervasive (HIPER) fixes should also be\nordered at this time. It is also critical that all PTF cover letters be reviewed to identify any\npart of the cumulative PTF package that should not be applied.\n\nFor a system upgrade, the vendor of the DDS case processing system should first order and\nevaluate the upgrade timely. Once the vendor has completed testing/research and can be assured\nthat DDS applications will function normally on the new operating system level, or that any\nnecessary program changes have been made, the vendor and DDS should coordinate the OS/400\nsoftware upgrade on the DDS\xe2\x80\x99 AS/400s. If the vendor is an IBM Business Partner, they should\nreceive advance copies of new versions or releases of the Operating System shortly after the GA\nannouncement. This will allow them to make sure that their applications are fully compatible\nwith the new release.\n\nThe OS/400 software upgrade should normally be installed on the first AS/400 in a DDS within\none month after physically receiving the software upgrade. However, if DDSs obtain upgrade\nsupport from a vendor, the installation schedule should be coordinated with the vendor. At least\n1 week should elapse between additional installations to guarantee stability for the other\nAS/400s.\n\nAdherence to this software upgrade policy will enable any problems introduced with the OS/400\nsoftware to be experienced, identified, and resolved before the OS/400 software upgrade is\npropagated to additional AS/400 systems. In addition, following this software upgrade policy\nwill enable the DDS AS/400s to maintain a reasonably current OS/400 operating system level.\n\nTo obtain new OS/400 releases/versions, DDS IT Staff should call their IBM National Customer\nRelationship Representative or IBM National Client Representative. They can also be obtained\nthrough the IBM DDS Gold Service contact in Atlanta, at (770) 863-1788.\nDDS Security Document Supplement (December 2001)                                              19\n\x0c                                                                       Attachment C, Page 2 of 5\n\n                                                   V. Supplement \xe2\x80\x93 DDS AS/400 Platform Security Settings\n\nIBM AS/400 Operating System Upgrades\n\nOS/400 upgrades occur when IBM has developed a new version/release of the OS/400 Operating\nSystem and IBM Program Products. IBM does extensive testing of the new version or release of\nthe Operating System prior to a General Availability (GA) announcement, i.e., a release to the\ngeneral public. Generally, most IBM Business Partners (BPs), Value Added Retailers (VARs),\nand Application Developers (ADs), through their established relationship with IBM, get\nadvanced releases or receive the new version or release of the Operating System shortly after the\nGA announcement. This allows them to make sure that their products are fully compatible with\nthe new release.\n\nThere are several reasons for users to periodically upgrade their OS/400 Operating Systems.\nEvery release of OS/400 has a defined Program Services period. The Program Services period\nbegins when an OS/400 upgrade is announced/released. The ending date of the Program\nServices period is included as part of the announcement letter for that particular release of\nOS/400. During the Program Services period, IBM will accept reported problems with the\nrelease and, if necessary, IBM will produce corrective fixes. At the end of that Program Services\nperiod, IBM will no longer accept any problems for analysis.\nAnother reason to upgrade to a current release is that, once a release has reached its end of\nProgram Services, a user will generally not be able to upgrade in a single step directly to a later\nrelease. If a user cannot upgrade directly to a new release, the user will need to do a multiple-\nstep upgrade. In other words, the user will need to upgrade to an interim release, and then the\nuser will need to upgrade to the latest release. A user can also remain too long on a release, so\nthat if a number of subsequent releases have been made there may be no supported way for the\nuser to upgrade the OS/400 Operating System. This situation may require expensive custom\nservices to perform the upgrade from the user\xe2\x80\x99s back-level release.\n\nAS/400 Maintenance\nSSA\xe2\x80\x99s AS/400 Maintenance Policy\n\nIBM releases Cumulative PTFs for the AS/400 Operating System and related products\napproximately every 3 months. IBM recommends that \xe2\x80\x9cCumulative PTF packages should\nbe installed every three to four months if there is no change to the equipment or programs\non your system\xe2\x80\x9d.\n\nSSA has determined that a prudent maintenance policy is to order the Cumulative PTF Package\nafter 1 month of its release, but no later than 2 months after the release date. The HIPER PTFs\nfor the Cumulative PTF maintenance should also be ordered when the Cumulative PTF Package\nis ordered.\n\nThe Cumulative PTF Package should normally be installed on the first AS/400 within 3 weeks\nafter physically receiving the maintenance package. However, if a DDS obtains maintenance\nsupport from a vendor, the installation schedule should be coordinated with the\n\nDDS Security Document Supplement (December 2001)                                             20\n\x0c                                                                       Attachment C, Page 3 of 5\n\n                                               V. Supplement \xe2\x80\x93 DDS AS/400 Platform Security Settings\n\nvendor. At least 1 week should elapse between additional installations.\n\nAdherence to this maintenance policy will enable any problems introduced with the\nCumulative PTF Package to be experienced, identified, and resolved before the Cumulative\nPTF maintenance is propagated to additional AS/400 systems. In addition, following this\nmaintenance policy will enable the DDS\xe2\x80\x99 AS/400s to maintain a reasonably current PTF\nmaintenance level.\n\nTo obtain OS/400 Operating System maintenance products, DDS IT Staff can call the IBM\nAS/400 Support Line at (800) 237-5511, as well as order them through their IBM AS/400\nElectronic Customer Support (ECS) (modem connection) and IBM\xe2\x80\x99s Technical Support Web site\nat http://www-912.ibm.com.\n\n\nIBM AS/400 Operating System Maintenance\n\nThe second process in supporting the IBM AS/400 Operating System is regular maintenance.\nMaintenance includes the following alerts, fixes, and support:\n\nAlerts\nAlerts provide automatic problem prevention notification, defect identification and resolution\ninformation specific to your operating environment. SSA provides this service for all AS/400s\nthat it has procured.\n\nProgram Temporary Fixes (PTFs)\nPTFs are fixes for the OS/400 Operating System. They are code changes created to correct\nproblems or potential problems found within either a particular IBM licensed program or a\nparticular non-IBM program. PTFs are designed to replace one or more objects in the licensed\nprogram. Generally, PTFs are incorporated in a future full-release version of the operating\nsystem.\n\nHigh Impact/Pervasive (HIPER) PTFs\nHIPER PTFs are those that affect a majority of customers.\n\nCumulative PTF Packages (CUMs)\nCUMs is the primary method of performing preventive maintenance on the OS/400 Operating\nSystem and IBM licensed programs. There are several reasons to routinely install CUMs.\nCumulative PTF Packages contain recommended PTFs that will correct problems, or potential\nproblems, with the OS/400 Operating System and IBM licensed programs; and they are updated\non a periodic basis. A routine Cumulative PTF Package maintenance strategy will reduce the\npotential of unplanned outages and program failures.\n\n\n\n\nDDS Security Document Supplement (December 2001)                                             21\n\x0c                                                                       Attachment C, Page 4 of 5\n\n                                               V. Supplement \xe2\x80\x93 DDS AS/400 Platform Security Settings\n\nGroup PTFs\nA Group PTF is a single PTF that provides a logical set of fixes affecting a specific function,\ne.g., database, HIPERs, etc. Group PTFs are dynamically updated when new fixes become\navailable for the affected function.\n\nAuthorized Program Analysis Report (APAR)\nAPAR is a problem report specific to an IBM program (and release), with an associated fix\n(usually a PTF or workaround).\n\nStandard Defect Support\nThe OS/400 Operating System comes with Standard Defect Support. If a customer suspects a\ncode problem, they can call IBM if they have AS/400 Support Line; if they don\xe2\x80\x99t have AS/400\nSupport Line, they must email, fax, or mail their request to IBM. However, SSA provides\nongoing IBM Support Line services for all AS/400s that have been purchased for the DDS and\nSSA communities. IBM will work with the customer to resolve the issue. If necessary, IBM\nwill provide a work-around (APAR) or code fix (PTF). Standard support will always be for the\ncurrent release plus one level back. When a new release/version is made available, three releases\nmay be supported for a short period of time--the current new release plus the 2 previous levels.\n\nExtended Usage Support\nExtended Usage Support provides the standard AS/400 Support Line for versions/releases of\nOS/400 and associated IBM software products that are no longer current; i.e., the product is no\nlonger sold and defect support has been discontinued. Generally, support is provided only for\nthe current OS/400 release and the two previous releases.\n\nExtended Defect Support\nExtended Defect Support provides defect support (APARs and PTFs) for OS/400 and associated\nIBM software products that are no longer current; i.e., the product is no longer sold and standard\ndefect support has been discontinued. Extended Defect Support is only available for a limited\ntime. Without Extended Defect Support the \xe2\x80\x9cfix\xe2\x80\x9d would be to upgrade to the current release. It\nis unlikely that a PTF will be required for a release that is \xe2\x80\x9cout of support.\xe2\x80\x9d Extended Defect\nSupport is a temporary solution generally used by large customers with many machines who\nforesee the inability to bring their systems to a supported release in a timely fashion.\n\nIBM AS/400 Software and Hardware Support Web Sites\n\nFollowing are IBM Web Sites that provide detailed information on IBM AS/400 Operating\nSystem and Hardware support:\n\n\n1. General Information on Program Services\n       http://www-912.ibm.com/supporthome.nsf/document/10000080\n\n2. Software Subscription\n       http://www-1.ibm.com/servers/eserver/iseries/sftsol/subscript.htm\n\nDDS Security Document Supplement (December 2001)                                             22\n\x0c                                                                       Attachment C, Page 5 of 5\n\n                                               V. Supplement \xe2\x80\x93 DDS AS/400 Platform Security Settings\n\n\n\n3. Support Line\n       http://www-1.ibm.com/services/its/us/mus62d1.html\n\n4. Alerts\n        http://www-1.ibm.com/services/its/us/alert.html\n\n5. Hardware Maintenance\n       http://www-1.ibm.com/services/its/us/hardmain.html\n\n\n\n\nDDS Security Document Supplement (December 2001)                                             23\n\x0c                                                               Attachment D, Page 1 of 1\n\n\nClick and Sign Certification Screen\n\nOnce the medical provider has logged onto the Internet successfully and has identified\nwhich DDS is to receive the files containing the consultative examination (CE) files, a\ncertification screen is displayed. By clicking on the \xe2\x80\x9cAgree\xe2\x80\x9d button, this screen creates\nthe CE provider\xe2\x80\x99s electronic signature that certifies the accuracy of the CE files\nsubmitted. The Agency refers to this process as the eCE Click and Sign. Image A\nshows the details of the eCE Click and Sign screen.\n\nImage A Click and Sign Certification for Electronic Consultative Examination\nSubmission\n\x0c'